3.5 Attacks & exploits: Application attacks Flashcards
Directory Traversals: what is a Directory Traversal type of attack and what information can you retrieve from it?
▪ Allows access to files, directories, or commands that may or may not be connected to the web document root directory
▪ In a directory traversal, an attacker tries to navigate upwards and out of the web document root directory
▪ Directory traversals may be used to access any file on a system with the right permissions
▪ Attackers may try to use %2E%2E%2F instead of ../
Directory Traversals: what is a File Inclusion type of attack and what are the different types of file inclusion that exist (2)?
▪ Allows an attacker to download a file from an arbitrary location or upload an executable or script file to open a backdoor
▪ Remote File Inclusion: Executes a script to inject a remote file into the web app or the website
▪ Local File Inclusion: Adds a file to the web app or website that already exists on the hosting server
Cross-Site Scripting (XSS): what is an XSS attack?
▪ Injects a malicious script into a trusted site to compromise the site’s visitors
▪ Cross-site scripting (XSS) is a powerful input validation exploit
▪ XSS breaks the browser’s security and trust model
Cross-Site Scripting (XSS): explain the process to perform this attack as an attacker (4)
● Attacker identifies input validation vulnerability within a trusted website
● Attacker crafts a URL to perform code injection against the trusted website
● The trusted site returns a page containing the malicious code injected
● Malicious code runs in the client’s browser with the same permission level as the trusted site
Cross-Site Scripting (XSS): what are the 2 types of XSS attack?
● Non-Persistent XSS: Happens once
● Persistent XSS: Embedded code
Cross-Site Scripting (XSS): what is Document Object Model (DOM) XSS?
▪ Exploits the client’s web browser using client-side scripts to modify the content and layout of the web page
▪ DOM XSS runs with the privileges of the user logged in to the local system
Cross-Site Request Forgery (CSRF): what is Session Management for?
Enables web applications to uniquely identify a user across several different actions and requests
Cross-Site Request Forgery (CSRF): what is a Cookie for and what are the different types of cookies that exist (2)?
Text file used to store information about a user when they visit a website. Cookie type:
● Non-Persistent Cookie (Session Cookie): Resides in memory
● Persistent Cookie: Stored in browser cache
Cross-Site Request Forgery (CSRF): explain the Session Hijacking type of attack and the vectors used to carry it out (2)
The attacker disconnects a host and then replaces it with his or her own machine by spoofing the original host’s IP address. Vectors for this attack:
● Session cookie theft
● Non-random tokens
Cross-Site Request Forgery (CSRF): explain the Session Prediction type of attack
▪ Predicts a session token to hijack the session
▪ Session tokens must be generated using a non-predictable algorithm and must not reveal any info about the session’s client
Cross-Site Request Forgery (CSRF): explain the CSRF type of attack
Exploits a session that was started on another site and within the same web browser
Cross-Site Request Forgery (CSRF): how to prevent the CSRF type of attack (3)?
● Ensure user-specific tokens are used in all form submissions
● Add randomness and prompt for additional information for password resets
● Require users to enter their current password when changing it
SQL Injections: list the most common SQL commands (4) and explain them
SELECT = Read
INSERT = Write
DELETE = Remove
UPDATE = Overwrite
SQL Injections: what is a code injection?
Inserts additional information or code through a data input form from a client to an application
SQL Injections: what is SQL injection and what vectors can you use to do it (5)?
Injects an SQL query through the input form a client uses to send data to a web application. Vectors for SQLi:
● URL parameters
● Form fields
● Cookies
● POST data
● HTTP headers
SQL Injections: how to prevent SQLi (2)?
● Use input validation and sanitize any data received from users
● Web application firewall
SQL Injections: how to spot SQLi (2)?
If you see ' OR 1=1; on the exam, it’s an SQL injection
XML Injections/Exploitation/Vulnerability: what is Extensible Markup Language (XML)?
▪ Used by web apps for authentication, authorization, and other types of data exchange
▪ Conduct input validation and sanitization of the data received
XML Injections/Exploitation/Vulnerability: what is XML vulnerable to (3)?
● Spoofing
● Request forgery
● Code injection
XML Injections/Exploitation/Vulnerability: what is XML Bomb (Billion Laughs Attack)?
XML encodes entities that expand to exponential sizes, consuming memory on the host and potentially crashing it
XML Injections/Exploitation/Vulnerability: what is XML External Entity (XXE) Attack?
Attempts to embed a request for a local resource
XML Injections/Exploitation/Vulnerability: how to prevent those attacks?
To prevent XML vulnerabilities from being exploited, use proper input validation. Unlike XML, HTML and JavaScript use defined keywords for each bracketed entry
Other Injection Attacks: what is LDAP Injection?
Lightweight Directory Access Protocol (LDAP): Protocol for accessing and maintaining distributed directory information services over an Internet Protocol network
Other Injection Attacks: how to prevent LDAP Injection (2)?
● Input validation
● Input sanitization
Other Injection Attacks: what is Command Injection?
Occurs when a threat actor executes arbitrary shell commands on a host via a vulnerable web application
Other Injection Attacks: how to prevent Command Injection (1)?
Input validation: Only accept an IP address or a domain name as input
Process Injection: what is it?
A method of executing arbitrary code in the address space of a separate live process
Process Injection: what are the methods to do a process injection (6)?
- Injection through DLLs
- Thread Execution Hijacking
- Process Hollowing
- Process Doppelganging
- Asynchronous procedure calls
- Portable executable injections
Process Injection: how to prevent a process injection (3)?
● Endpoint security
● Security kernel module
● Least privilege